Krebs on Security

In-depth security news and investigation

Banks: Card Thieves Hit White Lodging Again

For the second time in a year, multiple financial institutions are complaining of fraud on customer credit and debit cards that were all recently used at a string of Marriott properties run by hotel franchise firm White Lodging Services Corporation. White Lodging says it is investigating, but that so far it has found no signs of a new breach.

On January 31, 2014, this author first reported evidence of a breach at some White Lodging locations. The Merrillville, Ind.-based company confirmed a breach three days later, saying hackers had installed malicious software on cash registers in food and beverage outlets at 14 locations nationwide, and that the intruders had been stealing customer card data from these outlets for approximately nine months.

Fast-forward to late January 2015, and KrebsOnSecurity again began hearing from several financial institutions who had traced a pattern of counterfeit card fraud back to accounts that were all used at Marriott properties across the country.

Banking sources say the cards that were compromised in this most recent incident look like they were stolen from many of the same White Lodging locations implicated in the 2014 breach, including hotels in Austin, Texas, Bedford Park, Ill., Denver, Indianapolis, and Louisville, Kentucky. Those same sources said the compromises appear once again to be tied to hacked cash registers at food and beverage establishments within the White Lodging-run hotels. The legitimate hotel transactions that predated fraudulent card charges elsewhere range from mid-September 2014 to January 2015.

Contacted about the findings, Marriott spokesman Jeff Flaherty said all of the properties cited by the banks as the source of card fraud are run by White Lodging.

“We recently were made aware of the possibility of unusual credit card transactions at a number of hotels operated by one of our franchise management companies,” Flaherty said. “We understand the franchise company is looking into the matter. Because the suspected issue is related to systems that Marriott does not own or control, we do not have additional information to provide.”

I reached out to White Lodging on Jan. 31. In an emailed statement sent today, White Lodging spokesperson Kathleen Sebastian said the company engaged a security firm to investigate the reports, but so far that team has found no indication of a compromise.

“From your inquiry, we have engaged a full forensic audit of the properties in question,” Sebastian wrote. “We appreciate your concern, and we are taking this information very seriously. To this date, we have found no identifiable infection that would lead us to believe a breach has occurred. Our investigation is ongoing.”

Sebastian went on to say that in the past year, White Lodging has adopted a number of new security measures, including the installation of a third-party managed firewall system, dual-factor authentication for critical systems, and “various other systems as guided by our third-party cyber security service. While we have executed additional security protocols, we do not wish to specifically disclose full details of all security measure to the public.”

TOKENIZATION VS. ENCRYPTION

Flaherty said Marriott is nearing completion of a project to retrofit cash registers at Marriott-run properties with a technology called tokenization, which substitutes card data with placeholder information that has no intrinsic or exploitable value for attackers.

“As this matter involves Marriott hotel brands, we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us and we will continue to monitor the situation closely,” he said. “Marriott is currently on track to have all our U.S. managed systems fully tokenized within the month or so.”

Pressed on whether White Lodging also was using tokenization, Sebastian said the front desk systems at all White Lodging-managed Marriott properties are fully tokenized, and that payment terminals at other parts of the hotel (including restaurants, bars and gift shops) “are transitioning to tokenization and are scheduled to be fully tokenized by the end of the second quarter.”

Tokenization as a card security solution tends to be most attractive to businesses that must keep customer card numbers on file until the transaction is finalized, such as hotels, bars and rental car services. A January 2015 report by Gartner Inc. fraud analyst Avivah Litan found that at least 50 percent of Level 1 through Level 3 U.S. merchants have already adopted or will adopt tokenization in the next year.

Merchants retain tokens because they need to hang on to a single unique identifier of the customer for things like recurring billing, loyalty programs, and chargebacks and disputes. But experts say tokenization itself does not solve the problem that has fueled most retail card breaches in recent years: Malware remotely installed on point-of-sale devices that steals customer card data before it can be tokenized.

Gartner’s Litan said an alternative and far more secure approach to handling card data involves point-to-point encryption — essentially installing card readers and other technology that ensures customer card data is never transmitted in plain text anywhere in the retail environment. But, she said, many businesses have chosen tokenization over encryption because it is cheaper and less complicated to implement in the short run.

“Point-to-point encryption involves upgrading your card readers, because you want the encryption to happen not at the software level — where it can be hacked — but at the hardware level,” Litan said. “But it’s expensive and there aren’t a lot of approved vendors to choose from if you want to pick a vendor who is in compliance” with Payment Card Industry (PCI) standards, violations of which can come with fines and costly audits, she said.

Merchants that adopt point-to-point encryption may also find themselves locked into a single credit card processor, because the encryption technology built into the newer readers often only works with a specific processor, Litan said.

“You end up with vendor or processor lock-in, because now your equipment is locked in to one payment processor, and you can’t easily just change to another processor if you’re later unhappy with that arrangement because that means changing your equipment,” Litan said.

In the end, many businesses — particularly hotels — opt for tokenization because it can dramatically simplify their process of proving compliance with PCI standards. For example, merchants that hold onto customer card data for a period of time until a transaction is finalized may be required to complete a security assessment that demands proof of compliance with some 350 different PCI requirements, whereas merchants that do not store electronic cardholder data or have substituted that process through tokenization likely have about 90 percent fewer PCI requirements to satisfy.

“In a lot of cases, it’s really less about security and more about simplifying PCI compliance to reduce the scope of the audit, because you get big rewards when you don’t store credit card data,” Litan said. “Unfortunately, the PCI standards don’t have the same kind of rewards when it comes to securing card data in-transit [across a retailer’s internal network and systems] which is what point-to-point encryption addresses.”

Merchants in the United States are gradually shifting to installing card readers that can accommodate more secure chip cards that adhere to the Europay, MasterCard and Visa (EMV) standard. These chip cards are designed to be far more expensive and difficult for thieves to counterfeit than the regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied by point-of-sale malware.

Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).

Newer, EMV/chip-based card readers can enable a range of additional payment and security options, including point-to-point encryption and mobile payments, such as Apple’s new Apple Pay system. But integrating EMV with existing tokenization schemes can also present challenges for merchants. For example, Apple Pay uses a separate EMV tokenization process.

“This means that merchants who use their own tokenization system and choose to accept Apple Pay payments will end up with multiple tokens for one card number, defeating a major reason why many merchants adopted tokenization in the first place,” Litan said.

This entry was posted on Tuesday, February 3rd, 2015 at 3:34 pm and is filed under Data Breaches.

WhiteLodging is offering one year of complimentary personal identity theft protection services, provided by AllClearID, to those affected by this incident.

If you desire to enroll in the AllClearID service you will be able to do so via the Internet at whitelodging.allclearid.com … or “call 1-855-865-4453”.

Note: If you decide to enroll in the credit monitoring service you will be required to provide your Social Security number to verify your identity. For non-U.S. residents the service offering will vary.

Yes, thank you very much, but can’t I get allclearid.com as a free incentive to book a stay at a White Lodging in the near future? (as opposed to staying somewhere else?) Provided of course that I give you in advance my social security #, my credit card information and my Mother’s maiden name (as a security code feature).

I look forward to hearing from you and staying at White Lodging in the near future and beyond.

You say that you are “hearing things”, the hotel admits they are investigating (likely because you incited the panic for a headline) yet they have found no evidence, and then you “educate” the audience on tokenization. So from a reader’s standpoint the last thing I would deduce from this information is what your headline states.

Your headline reads “Card thieves hit White Lodging again”. Typically a claim like this is backed up with some kind of evidence, even circumstantial. Based on the facts of your story, you likely should have kept this one in your notebook.

Speaking of attention to detail, I wrote nothing about a “devious website”. In your case, anger management sessions with a qualified professional or even mindfulness practice (meditation, deep breathing exercises, guided imagery, etc…) can help you relax in a manner that can help you to stay focused on tasks in the here and now. After all, it’s just not healthy to let negative emotions hijack your persona.

When you have credible sources and the great track record that Brian has in revealing such compromises, you can release early versions of these stories. As an individual that works in the card industry I relied on these early postings to get a leg up and protect my card holders.

Ah, I see. So I’ve spoiled you, is that it? Used to me being able to work out that a company has had a breach but also where their customers’ cards are being sold? Well, give it time. I don’t have that (yet), but rest assured someone is selling them.

Based on Brian’s credibility, I’m more than willing to trust his assertion.

I think Brian’s bias is more toward protecting individuals than contributing to a delay in releasing information related to a repeat breach that seems to have been going on for a considerable period of time.

Brian referred to banks complaining and supplied references, if you read you will see so. Dan may have his own agenda. Personally I believe in boycotting every bank (card) and merchant that finds itself breached, especially if it comes out with a deceptive “we see no evidence” public statement.

Tokenization vs. Encryption is not an either/or proposition. Ideally you will do both.

With the need to retain card data for later charges, you have to get a token back from the bank, but ideally you will use point-to-point encryption to initiate the transaction and secure it there.

But just implementing encryption without tokenization means that you’d be storing the credit card number, which makes you still subject to a hack where they steal your file of credit cards and then decrypt them. With a token, the only place the token can be used is at your merchant location, so the value to a hacker is nil.

On the logical IT progression, it makes sense to implement tokenization first, and then do encryption. Unfortunately, as Brian points out, many of the recent hacks happen in memory, which comes before the token is created.

“As this matter involves Marriott hotel brands, we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us and we will continue to monitor the situation closely,”

Corporate boilerplate is a new literary art form worthy of scholarly attention because the text is designed to soothe an enraged populace that has just been harmed by a gigantic blunder. Corporate boilerplate was recently quoted in the New York Times article entitled “Verizon Wireless to Allow Complete Opt Out of Mobile ‘Supercookies’” where the classic format of “Verizon takes customer privacy seriously and it is a central consideration as we develop new products and services.” Here the cliché “takes customer privacy seriously” is once again rolled out to do its duty. As for me, I think my next tome will be “The Art and Science of American Boilerplate Writing”, a work worthy of the Ig Nobel Prize for Literature.

Just because White Lodging and the security firm they hired haven’t found the breach (yet) doesn’t mean it doesn’t exist. I think the previous breach and the banks tracing are more than enough circumstantial evidence to “warrant” Brian’s article.

As a consumer that’s been inconvenienced by BOTH the Target and Home Depot breaches, I’m fed up with these breaches! Just today I received a notice I was being issued a new card, again!

Just a thought I’ve been having…couldn’t retail companies use an imaging system to multicast a new image on every POS device on a regular basis, even daily in some cases? It can easily be multi-casted and POS terminal images can’t be that large so remotely dropping them on the terminals would take very little time. I’m not an expert on POS devices, though. It just seems to me that someone could easily create infrastructure that wipes a POS device daily, weekly, or whatever and thus the malware exposure stays minimal. I know it can’t be done immediately but from my perspective, creating a dynamic environment for POS terminals can’t be that difficult.

If that could be done, then it would put the onus on the technical team to keep the imaging servers safe which will be a lot less of a headache than trying to keep every POS node safe. There are plenty of solutions out there that can monitor file integrity so keeping the image files safe wouldn’t be too difficult. Obviously this is still very dependent on having a secure network that doesn’t have malware sitting and waiting to discover POS devices but it does reduce exposure.

Again, I’m no expert on POS devices but I have been in technology for a very long time and it just doesn’t seem like much of a hurdle to create an environment that keeps POS devices fresh instead of trying to use technology to stop every single one from being compromised.

Yes, but easier said than done. We have discussed doing that, or moving to something like deepfreeze where changes are dropped on reboot, but the costs per machine are not cheap, and in our case, the imaging would not work due to the small bandwidth pipes we have to our retail locations.

Just bad all around. Take cash with you on a vacation, risk losing it all. Use your credit card, risk having it stolen. How to solve this problem? Just stay at home. No, but really, why aren’t hotels investing in tighter security? This seems to be the theme in the hospitality service over the past seven months and it speaks to the need to do more, most definitely.

Would you agree, with the assumption that these “businesses” need to be more reactive to the intrusions? These pos devices that are used, must have been closely tampered with. Would that be the old xp image, or even older system images. Are they reflashing with old unsecured images, and reinstalling the same bugs? Could their backup power supplies at the pos be bad, causing the unit to reflash? It makes one wonder?

In response to both Brian’s points in the article and a couple of comments, my belief is that point-to-point encryption combined with tokenization is the best solution to the merchant’s problems with regard to payment processing security.

Hardware-level encryption of the card swipe and/or account number keyed in ON THE PINPAD provides the first part (P2PE) and a hosted payment gateway service provides the second part (tokenization).

By using a payment gateway as the endpoint of the P2PE solution, the hardware tie to a single payment processor is eliminated.

I have implemented for my company a solution with Verifone’s Payware Connect platform. Their P2PE (Verishield Protect) is designed so that the encryption keys are loaded into each PinPad and the matching key for decryption is loaded into a hardware decryption appliance inside of their payment gateway system.

In this method, the card data is encrypted in the tamper-evident MSR in the pinpad and our point of sale software forwards that payment card info on to the payment gateway. Inside the gateway, the encrypted card data is decrypted and the correct message format is created for forwarding to our chosen payment processor. When the response is received, the encrypted data is replaced in the response message with a tokenized version of the card data – which is what we store in our transaction database.

The encrypted card data is only in our systems for a few seconds, and is then discarded. No one in our organization has – or has any access to – the keys to decrypt the card data.

Within our systems, we never have clear-text cardholder data.

This system allows us to change processors and/or banks as needed – something we have done once in the four years we have been running P2PE – without having to replace any payment devices in our stores.

The drawback of this solution? We pay a per-transaction fee for the hosted gateway services from Verifone. We are a medium- to large-sized retailer of national scope with relatively few transactions based on revenue (we have a high average ticket price) so the cost savings in PCI compliance costs and the combination of security and flexibility this method has given us are worth the added per-transaction fee we pay for gateway services.

If we were significantly larger in transaction volume, the financial calculation might be different, but I think for retailers approximately our size or smaller (high hundreds of millions of dollars per year in credit/debit card volume and several hundred stores in the US) hosted payment gateways that support P2PE and tokenization are a real solution in the market as mature technology today.

For the Targets or Home Depots of the world, this is probably not financially viable to have a hosted payment gateway. Those retailers though could still use P2PE WITHIN their network to reduce the surface area that they need to defend from attacks. The same payment equipment can be purchased and the decryption hardware appliance can be hosted internally – requiring higher levels of security at the payment switch level within a corporate network, but eliminating the risk of Windows-based POS systems out in stores being compromised.

But, for smaller retailers a hosted payment gateway solution that handles the P2PE is a viable alternative if they can find Point of Sale software vendors that are integrated to a solution.

I do believe though, that no matter what approach is taken, the most secure is P2PE FIRST and then tokenization. As soon as cardholder data leaves the more secure operating environment of the pinpad itself and crosses into either the IP-based network or a general purpose PC in the clear, then the battle to secure the data has likely already been lost.
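As an added example (not from the article or any commenter), the Python below simulates the two card-data flows discussed on this page: tokenization applied at the POS host, where, as the article notes, the card is in POS memory before a token exists, and the P2PE-then-tokenize flow this comment describes, where the pinpad encrypts and a hosted gateway returns the token. The Luhn-based scan over what the simulated POS handled stands in for the check a defender would run over a POS memory dump; the cipher, key handling and gateway are illustrative stand-ins, not Verifone's or any product's scheme.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample: a standard Luhn-valid test number, not a real account.
SAMPLE_PAN = "4111111111111111"
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_for_pans(observed: list[bytes]) -> list[str]:
    """Audit check: which byte strings the POS host handled contain a Luhn-valid PAN?
    A defender runs this kind of scan over POS memory dumps; here it runs over a
    list of what the simulated POS received and sent."""
    return [m.group() for blob in observed
            for m in PAN_RE.finditer(blob.decode("latin-1")) if luhn_ok(m.group())]

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher: HMAC-SHA256 keystream in counter mode XORed with the data.
    # A real P2PE product uses a vetted cipher and per-device key management.
    ks = b""
    for ctr in range((len(data) + 31) // 32):
        ks += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

class Pinpad:
    """Encrypts at the reader; the POS host never holds this key."""
    def __init__(self, key: bytes):
        self._key = key
    def encrypt_swipe(self, pan: str) -> bytes:
        nonce = secrets.token_bytes(16)
        return nonce + _xor_stream(self._key, nonce, pan.encode())

class Gateway:
    """Hosted gateway stand-in: holds the matching key, decrypts, returns a token."""
    def __init__(self, key: bytes):
        self._key = key
        self._vault: dict[str, str] = {}   # token -> PAN, gateway side only
    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_urlsafe(12)
        self._vault[token] = pan
        return token
    def authorize(self, blob: bytes) -> str:
        pan = _xor_stream(self._key, blob[:16], blob[16:]).decode()
        if not luhn_ok(pan):
            raise ValueError("decryption failed or malformed PAN")
        # processor authorization would happen here; only the token goes back
        return self.tokenize(pan)

KEY = secrets.token_bytes(32)        # injected into the pinpad and the gateway appliance
PINPAD, GATEWAY = Pinpad(KEY), Gateway(KEY)

def flow_tokenize_at_pos(pan: str) -> list[bytes]:
    """Tokenization alone: the POS host reads the clear PAN, then requests a token."""
    observed = [pan.encode()]                       # clear PAN in POS memory
    observed.append(GATEWAY.tokenize(pan).encode())
    return observed

def flow_p2pe(pan: str) -> list[bytes]:
    """P2PE plus tokenization: the POS host only relays ciphertext and a token."""
    blob = PINPAD.encrypt_swipe(pan)
    observed = [blob]                               # ciphertext in POS memory
    observed.append(GATEWAY.authorize(blob).encode())
    return observed
```

Running `scan_for_pans` over each flow's `observed` list shows the clear PAN only in the tokenize-at-POS case; in the P2PE case the POS host never holds anything the scan recognises as card data.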

Issue, as Brian points out, is now you are locked into Verifone for your PIN pads, and you are paying a per transaction fee for your encryption. The latter is what is stopping more of us from going to encryption. If you are a retailer on razor thin margins, a couple cents a transaction adds up quick.

We actually looked at going with an encryption model where WE host the decryption gateway so that we could avoid the per transaction cost, but essentially Verifone doesn’t want to support it, and all the players are pricing you out of doing so in an effort to gain business.

Verifone is pushing [and pushing HARD] their new Point service, which actually moves the entire POS application to the pin pad (Point is a PA-DSS app) and your register terminal becomes dumb. The pin pad never communicates with your POS during the transaction, the only communication is post transaction to tell the register “yep the transaction is paid for.”

I would disagree on the last point you make, because E2E encryption and tokenization secure different vectors, so there is really no “this one is better.” Encryption protects the card number in transit, but if you store card data, you still have a huge attack surface – tokenization protects stored data, but the card data is at risk during the transaction process.

“In a lot of cases, it’s really less about security and more about simplifying PCI compliance to reduce the scope of the audit, because you get big rewards when you don’t store credit card data,” Litan said. “Unfortunately, the PCI standards don’t have the same kind of rewards when it comes to securing card data in-transit [across a retailer’s internal network and systems] which is what point-to-point encryption addresses.”

Your source is dead wrong on this one. You can significantly reduce your PCI scope with encryption, because you take a number of systems either out of scope, or to a significantly reduced scope for controls. If encryption is done right, the only devices that are fully in scope are your pin pads, everything else comes out of scope or is reduced because they cannot affect the security of the transaction any more.*